Wednesday 28 January 2015

Links Found between NSA, Regin Spy tool and QWERTY Keylogger

Researchers have uncovered new evidence that a powerful computer program discovered last year, called "Regin", is "identical in functionality" to a piece of malware used by the National Security Agency (NSA) and its Five Eyes allies.

REGIN MALWARE
"Regin" is a highly advanced, sophisticated piece of malware that the researchers believe was developed by a nation state to spy on a wide range of international targets, including governments, infrastructure operators and other high-profile individuals, since at least 2008.

Regin was first discovered in November 2014 by the researchers at antivirus software maker Symantec and was said to be more sophisticated than both Stuxnet and Duqu.

The malware is alleged to have been used against targets in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria, among others.

The recent evidence comes from the journalists at Der Spiegel who published the source code for a malicious program code-named 'QWERTY' – "a piece of software designed to surreptitiously intercept all keyboard keys pressed by the victim and record them for later inspection."

QWERTY KEYLOGGER MALWARE
The malicious program was revealed earlier this month when Der Spiegel magazine published a detailed article on the US National Security Agency's cyber espionage operations based on documents obtained from the former NSA contractor Edward Snowden.

The QWERTY program is included in the malware products used by the NSA and other intelligence agencies worldwide that are part of the Five Eyes Alliance (US, Australia, Canada, New Zealand and the United Kingdom) in order to eavesdrop and conduct destructive cyber operations on targets.

QWERTY = REGIN
After examining QWERTY’s code, the security analysts at Kaspersky Labs concluded that the keylogger’s source code can be linked to 'Regin,' and that the malware developers of QWERTY and Regin are either the same, or work closely together.

Moreover, the researchers also found that both QWERTY and the 50251 plug-in depend on a different module of the Regin platform identified as 50225 which relies on kernel hooking functions. This strongly proves that QWERTY can only operate as part of the Regin platform.
"Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together," Costin Raiu and Igor Soumenkov, researchers at Kaspersky’s Securelist blog, said on Tuesday.
Der Spiegel reported that QWERTY is likely a plug-in of a unified malware framework codenamed WARRIORPRIDE that has been used by all Five Eyes partners. Also, it is several years old and has likely already been replaced.

However, the link between QWERTY and Regin suggests that the cyber espionage malware platform that security researchers call Regin is none other than WARRIORPRIDE.

The Regin tool has also been linked to hacks that targeted the International Atomic Energy Agency based in Austria and to the 2011 attack on European Commission computers, Spiegel said.

Reference: http://thehackernews.com/2015/01/nsa-regin-qwerty-keylogger_27.html

Critical GHOST vulnerability affects most Linux Systems

A highly critical vulnerability has been unearthed in the GNU C Library (glibc), a widely used component of most Linux distributions, that could allow attackers to execute malicious code on servers and remotely gain control of Linux machines.

The vulnerability, dubbed "GHOST" and assigned CVE-2015-0235, was discovered and disclosed by the security researchers from Redwood Shores, California-based security firm Qualys on Tuesday.

CRITICAL AS HEARTBLEED AND SHELLSHOCK
GHOST is considered to be critical because hackers could exploit it to silently gain complete control of a targeted Linux system without having any prior knowledge of system credentials (i.e. administrative passwords).

The flaw represents an immense Internet threat, in some ways similar to the Heartbleed, Shellshock and Poodle bugs that came to light last year.

WHY GHOST ?
The vulnerability in the GNU C Library (glibc) is dubbed GHOST because it can be triggered by the library's gethostbyname family of functions. Glibc is a repository of open-source software written in the C and C++ coding languages that defines system calls.

The problem actually originates from a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc. This function is invoked in particular by the gethostbyname() and gethostbyname2() function calls.

According to the researchers, a remote attacker who is able to call either of these functions could exploit the vulnerability to execute arbitrary code with the permissions of the user running the application.

EXPLOIT CODE
In an attempt to highlight the severity of the risk, security researchers were able to write proof-of-concept exploit code that is capable of carrying out a full-fledged remote code execution attack against the Exim mail server.

The researchers' exploit is able to bypass all existing exploit protections available on both 32-bit and 64-bit systems, including position-independent executables (PIE), address space layout randomization (ASLR) and no-execute (NX) protections.

Using the exploit, an attacker is able to craft malicious emails that could automatically compromise a vulnerable server without the email even being opened, according to Amol Sarwate, director of engineering with Qualys.

So far, the company has not published the exploit code to the public but eventually it plans to make the exploit available as a Metasploit module.

VERSIONS AFFECTED
The vulnerability affects versions of glibc as far back as glibc-2.2, which was released in 2000.

In addition to the Exim mail server, server software vulnerable to GHOST includes Apache, Exim, Sendmail, Nginx, MySQL, CUPS, Samba and many others, according to a later post by Qualys researchers on the Full Disclosure mailing list.
"Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example," researchers from Qualys said in an advisory published Tuesday.

FIXES AVAILABLE FOR SOME LINUX DISTRIBUTIONS
However, major distributors of the Linux operating system, including Red Hat, Debian and Ubuntu, updated their software on Tuesday to thwart the serious cyber threat. To complete the update, a restart of core functions or a reboot of the entire affected server is required.

Red Hat, the No. 1 provider of Linux software to businesses, recommends that its customers update their systems "as soon as possible to mitigate any potential risk."
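
A running process keeps using the copy of glibc it loaded at start, so installing the update only protects a service once that service has been restarted. The following shell script is an added example, not code from the original article, Qualys or any distributor: it lists processes that still map a glibc file that has since been replaced on disk. The function names, the PROC_ROOT parameter and the sample process tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Lists processes that still map a glibc file that was replaced
# on disk; the kernel tags such mappings "(deleted)" in /proc/<pid>/maps.

# stale_libc_pids [PROC_ROOT] prints "<pid> <command>" per affected process.
# PROC_ROOT defaults to /proc; the parameter exists so the scan can be tested.
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Matches libc.so.6 and versioned libc-2.NN.so, but not libcrypto etc.
        if grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            pid=${pid##*/}
            name=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample tree (not real captures): three fake processes.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir "$root/812" "$root/1440" "$root/2001"
    echo exim4 > "$root/812/comm"
    echo sshd > "$root/1440/comm"
    echo cron > "$root/2001/comm"
    # Started before the update: still executing the replaced library.
    echo '7f3a1c000000-7f3a1c1bb000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)' > "$root/812/maps"
    # Restarted after the update: maps the file currently on disk.
    echo '7f9b40000000-7f9b401bb000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc-2.13.so' > "$root/1440/maps"
    # A different deleted library must not be reported.
    echo '7f11a0000000-7f11a0200000 r-xp 00000000 08:01 402 /usr/lib/libcrypto.so.1.0.0 (deleted)' > "$root/2001/maps"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree; call stale_libc_pids with no
# argument (as root, to see every process) to scan the live system.
sample=$(make_sample_proc)
stale_libc_pids "$sample"
rm -rf "$sample"
```

Any process the scan reports should be restarted; if the list includes init or other services that cannot be restarted individually, reboot the server.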

Reference: http://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html

Taylor Swift's Twitter and Instagram Accounts Hacked

The very popular pop star Taylor Swift became the latest celebrity to have their social media accounts hacked on Tuesday.

The 25-year-old "Shake It Off" singer, who has the fourth-most popular Twitter account with 51.4 million followers, appeared to be asking her millions of followers to follow @veriuser and @lizzard.

Swift confirmed that her Twitter and Instagram accounts were hacked on Tuesday afternoon, and also that the rogue posts were quickly removed from the social media websites.
"My Twitter got hacked but don't worry, Twitter is deleting the hacker tweets and locking my account until they can figure out how this happened and get me new passwords," said a statement posted on Swift's personal Tumblr page.
The accounts were taken over for just 15 minutes, but when they belong to Taylor Swift, that makes it a big hit. At the time, a Tweet went out from @TaylorSwift13 to her millions of fans, saying, "go follow my boy, @lizzard :)"

Yes, the Lizards are the same guys who recently took down Sony's PlayStation game networks, among other things, as the @lizzard profile claimed to be the "Leader of Lizard Squad", the hacking group that's ostensibly behind this attack.

The hackers not only took over her social media accounts, but also threatened to release nude pictures of Taylor Swift, to which the pop star says "none existed."
"Any hackers saying they have 'nudes'?" Swift tweeted after retaking control of her Twitter account. "Psssh you'd love that wouldn't you! Have fun photo-shopping cause you got NOTHING."
An Instagram photo sent out from Swift's account with over 20 million followers urged her fans to follow another user supposedly involved in the Twitter hack.
Both the Instagram photo and the rogue Tweets from her accounts have vanished. However, @lizzard and @veriuser's Twitter accounts have been suspended by Twitter.

Swift even mimicked the lyrics to her hit "Shake It Off" by tweeting, "Cause the hackers gonna hack, hack, hack, hack, hack ..."

Still, hacking the fourth-largest profile on Twitter makes this one of the higher-profile breaches that have occurred on the network.

Reference: http://thehackernews.com/2015/01/taylor-swift-twitter-instagram-hacked.html